
Recent Findings On Captcha & The User Experience

Opinions on what makes a form or Web application user friendly may vary, but almost everyone dislikes Captcha fields. Some Captchas are so difficult to decipher that they actually increase form and page abandonment.

Along with the freedom the Internet provides humans, it is unfortunately humans who also created barriers to our free flow of information. It’s uncanny the amount of search engine marketing money spent to bring people into websites, only to chase them back out because they must prove they are indeed, human.

Spam helped create the need for Captcha. To defend ourselves from the onslaught of unsolicited and unwanted information that arrives through blog comments, logins, purchasing tasks and forum discussions, we must first solve a puzzle.

What Is Captcha?

We commonly see them in the form of letters, sometimes mixed with numbers, which are presented in wavy, bold and italic fonts that try our patience.

You may come upon a registration form that will not accept your information until you solve a math problem like 2 + 7 or answer a question such as “Who was buried in Grant’s tomb?” Images and video are also used for Captcha.

The purpose of Captcha is to find a way to prove that you’re a human being and not a computer with abuse on its agenda. However humble and helpful the original goal, today there is software available to bypass Captchas, as well as humans paid to solve Captchas for companies who wish to do harm. Routine website maintenance now sometimes includes changing existing Captchas, because it doesn’t take long for machines to figure out which sites use which form of Captcha.

Other reasons for wanting Captcha include preventing identity theft and fraud, computer viruses, spyware and hackers, phishing and bogus online transactions. Research shows that simply relying on passwords is not helpful for security because of password dictionaries and the overwhelming tendency to create easy, common passwords.

Do we really need additional help beyond passwords? Yes.

According to various sources such as the CSI, FBI and the Computer Security Institute, the costs of Internet crime and security breaches run in the billions of US dollars. Companies loathe going public with breaches for fear of the negative public reaction and stock market response. No wonder we’re forced to tolerate Captchas.

Usability Issues With Captcha

So much effort goes into making secure Captchas that machines can’t possibly solve that, studies show, people can’t solve them either. One of the worst Captcha presentations is when only one option is offered. If it is not readable or easy to decipher, the form can’t be completed. It’s important to allow your users to refresh the challenge until they find one they can understand.

One source noted the average person has between 7 and 25 accounts they log into every day (source). Because of the severity of the lack of trust, companies force users to authenticate who they are. In the course of one day, you may find yourself facing a Captcha field many times.

Other findings from various research include:

When we presented image Captcha to three different humans, all three agreed only 71% of the time on average.

Audio Captcha are much harder than image Captcha.

Some Captcha schemes are clearly harder for humans than others.

Non-native speakers of English take longer to solve Captcha, and are less accurate on Captcha that include English words.

Humans become slightly slower and slightly more accurate with age.

Ph.D.’s are the best at solving audio Captcha.

Image based Captcha is not accessible to blind users.

Poor accessibility for Captcha includes those with intellectual and developmental disabilities.

Splitting the image into regions that each contain a single character, called “segmentation”, is found to be the most reliable for humans.

Spammers pay about $0.80 to $1.20 for each 1,000 solved CAPTCHAs to companies employing human solvers in Bangladesh, China, India, and many other developing nations.

Contrary to the common belief, text-based CAPTCHAs can be difficult for foreigners.

The use of color in a CAPTCHA can have an impact on its usability, security or both.

Distortion has a clear impact on the usability of CAPTCHAs. Users find it difficult or impossible to recognize over-distorted characters.

Tools To Implement Captcha

For the time being it appears as though we’re forced to live with Captcha.

The following are some suggestions for tools and ways to create your own.

ReCaptcha (from Google) – http://www.google.com/recaptcha

How to Create a CAPTCHA Code – http://www.ehow.com/how_7335023_create-captcha-code.html

Securimage (free PHP code) – http://www.phpcaptcha.org/

Captcha confusion may be overlooked when analyzing web site or Internet application performance. We don’t often see a tick box nearby that might alert a site owner that a user could not submit the form because of its Captcha setup.

A wise reader of this column suggested this topic and for good reason. When conversions are at stake, Captcha is worth understanding and investigating to be sure it doesn’t create a negative impact on your site’s success.

Some opinions expressed in this article may be those of a guest author and not necessarily Search Engine Land. Staff authors are listed here.


Captcha is poison to site usability. It frustrates regular users and completely discriminates against disabled users. It’s surely not the best way to secure a webpage.

Using MD5 authentication we can seamlessly block bot form submissions and provide this solution in beta at SiteBrains.

http://www.visionefx.net Rick Vidallon

SCREW CAPTCHA… I LOVE SPAMMERS

As a business owner I prefer not having any blocks or hurdles between me and a potential customer. When you have any security script installed in your web form then all it takes is one entry mistake for a number or character and the form submission will fail and ask them to try again. For someone who is in a hurry, prone to keyboard mistakes or has difficulty seeing their screen up close; this can be extremely frustrating.

This is why I do not have any security scripts on my website contact or inquiry forms. Although I use Postini, I still have to deal with spam.

If you want customers to contact you, it’s best to keep it simple and easy to do. I would rather see my daily inbox filled with 1000 spam emails and two new website customer inquiries versus having no customer leads at all.

My message to the spammers and marketers..
‘Bring it on… because I have the fastest delete keystroke in town’.

http://www.vouchsafe.com Chris

I have been trying for some time to stimulate some real discussion on CAPTCHAs and usability. Basic CAPTCHAs are hard enough, while audio CAPTCHAs seem like a mean-spirited joke on the visually impaired.

My company has created a new technology to replace CAPTCHAs called VouchSafe, and one of the key things we focused on (in addition to usability and security) was accessibility. We worked really hard on developing an audio solution that would be easy to hear and understand, and we’ve been continuing to improve it.

The problem we discovered is that when it comes right down to it, very few site operators actually care about accessibility. The merest symbolic gesture toward accommodation seems to be enough, and very few people actually take the time to try the software from the perspective of a blind person. Most reCaptcha implementations don’t even enable keyboard shortcuts to activate the challenge – but how in blazes is a blind person supposed to find the button with their mouse?

I find Captcha really difficult to solve and sometimes it makes me not complete the form or transaction. But the simple equations, or trivia questions are fine. Do these pose a spam threat, or could these be used more often instead of Captcha words?

Personally I avoid at all costs – sometimes it turns into a quiz which is a step too far for most users – there are ways of beating spam though – I recently implemented a hidden field technique that places a field in the form that users won’t see but bots will – so if that field gets filled in, you know it’s spam and just ignore the form submission – so far this has been a great success, there is more on this technique in the blog post I wrote:

Captcha is an absolute pain. Even had to think about whether I could be bothered writing this comment because of the need to fill in a captcha field to submit it!

I’m surprised that there isn’t a greater use of “reverse captcha”, which can be a positive way of implementing many of the advantages of captcha without the problems that face an end user. The general principle is very simple; forms have a hidden field. A bot will fill in that field with what it thinks is relevant information. A human user won’t see the field at all. Verification checks if the field is empty or not, and if it’s not then it knows that it’s looking at a bot interaction.

http://www.gentlemedia.nl Ralph Echter

I don’t understand the whole captcha thing. There is no need for having these annoying captchas on a form just like the one here. If you handle security through your PHP mailer script then spambots can post whatever they want, but these messages go straight into the ‘honeypot’ instead of your inbox. Seriously… no need for captcha if you code it right.

http://www.jasonzipperer.com Jason Zipperer

Requiring the user to “prove” they are human, is shifting our problem on to the user. Put in place a combination of server side fixes (honey-pot, page timer, etc.), and let users be.

http://www.gentlemedia.nl Ralph Echter

@dave_ashworth – I’ve read your comment after I posted my message, but this technique is exactly what I mean. Use a hidden field which spambots only see and fill out, and if this field is filled out the submission goes nowhere.
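The hidden-field ("reverse captcha") check and the page timer described in the comments above, as an added Python example that is not from the article or from any commenter's site. The field names `website` and `form_token`, the key and the time thresholds are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: random per-site secret kept server-side
HONEYPOT_FIELD = "website"        # hypothetical name of the input hidden from humans
MIN_SECONDS = 3                   # assumed threshold: faster than this looks automated
MAX_SECONDS = 3600                # assumed lifetime of a rendered form


def _sign(ts: str) -> str:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value for a hidden 'form_token' input, created when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_sign(ts)}"


def classify_submission(form: dict, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now
    # Honeypot: a human never sees this input, so any value means a bot filled it.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # Page timer: the render time is signed, so a client cannot backdate it.
    ts, _, sig = form.get("form_token", "").partition(":")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad token"
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad token"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    t0 = 1_700_000_000
    token = issue_token(now=t0)
    human = {"name": "Ann", "message": "Quote please", "website": "", "form_token": token}
    bot = dict(human, website="http://spam.example")
    print(classify_submission(human, now=t0 + 20))
    print(classify_submission(bot, now=t0 + 20))
    print(classify_submission(human, now=t0 + 1))
```

Hide the honeypot input with CSS and keep it out of the tab order so keyboard and screen-reader users do not land on it. Flagged submissions can be discarded silently or routed to a review folder instead of the inbox.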

Andy

“Spammers pay about $0.80 to $1.20 for each 1,000 solved CAPTCHAs to companies employing human solvers in Bangladesh, China, India, and many other developing nations.”

How would the paymaster know how many Captchas the third-world spammer has solved? The mind boggles.

There are lots of techniques now that mean that Captchas are not necessary on low-profile sites, but obviously the larger the site the more of a juicy target it becomes for the determined spammer.

Also, on your site. I have to sign in with Twitter and then enter a Captcha as well. Surely overkill.